CVE-2022-23614
Published: 4 February 2022
Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.
Notes
| Author | Note |
|---|---|
| ccdm94 | advisory mentions that all versions greater than 2.0.0 and less than 2.14.11 are affected, however, there is no 'arrow' parameter implemented in bionic's version of Twig. As per commit 330024b6, support for the 'arrow' function was only added in Twig 2.12. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
php-twig Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Needed
|
|
| jammy |
Not vulnerable
(3.3.8-2ubuntu4)
|
|
| kinetic |
Not vulnerable
(3.4.2-1)
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Released
(2.14.11, 3.3.8)
|
|
| xenial |
Ignored
(out of standard support)
|
|
|
Patches: upstream: https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9 (2.x) upstream: https://github.com/twigphp/Twig/commit/9e5ca747b6e4015e39df032f00e86200b6916bc7 (3.x) |
||
|
twig Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Released
(2.14.11, 3.3.8)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9 (2.x) upstream: https://github.com/twigphp/Twig/commit/9e5ca747b6e4015e39df032f00e86200b6916bc7 (3.x) |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23614
- https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5
- https://github.com/twigphp/Twig/commit/22b9dc3c03ee66d7e21d9ed2ca76052b134cb9e9
- https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v
- https://ubuntu.com/security/notices/USN-5947-1
- NVD
- Launchpad
- Debian